iOS Google Authenticator fails to register a device with an Invalid barcode error when using OATH nodes in Identity Cloud, AM 7.1.x and 7.2.x
The purpose of this article is to provide assistance if you encounter an "Invalid barcode" error when attempting to register a device with the iOS® Google® Authenticator app. This issue occurs when using a journey or tree that contains the OATH Registration node in ForgeRock Identity Cloud or AM.
Symptoms
You will see the following error on your device when scanning a QR code with the iOS Google Authenticator app in order to register the device:
Invalid barcode
The barcode [URL] is not a valid authentication token barcode
The same QR code will work with other authenticators such as the ForgeRock Authenticator or the Android™ version of the Google Authenticator app.
Recent Changes
N/A
Causes
The barcode includes = padding characters in the base32-encoded secret, which the iOS Google Authenticator rejects but other authenticator apps just ignore. This is a known limitation with the iOS Google Authenticator.
Solution
This issue can be resolved by increasing the minimum secret key length to avoid padding as follows:
Identity Cloud admin UI
- Go to Journeys and click the journey that includes the OATH Registration node.
- Click the OATH Registration node.
- Enter a new value in the Minimum Secret Key Length field that avoids padding; choosing a value of 40 should typically work.
- Click Save.
AM admin UI
- Go to Realms > [Realm Name] > Authentication > Trees and select the tree that includes the OATH Registration node.
- Click the OATH Registration node.
- Enter a new value in the Minimum Secret Key Length field that avoids padding; choosing a value of 40 should typically work.
- Click Save.
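Why a value of 40 avoids the padding described under Causes, as an added example that is not part of the original article: base32 turns every 5 bytes into 8 characters, so only secrets whose byte length is a multiple of 5 encode without =. The sketch assumes the Minimum Secret Key Length field counts hexadecimal characters (two per byte); the function names, the comparison value 32 and the sample otpauth URIs are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit


def padding_chars(num_bytes: int) -> int:
    """Count the '=' characters base32 appends to a secret of num_bytes bytes."""
    return base64.b32encode(bytes(num_bytes)).count(b"=")


def padding_for_hex_length(hex_chars: int) -> int:
    """Padding for a secret of hex_chars hexadecimal characters.

    Assumption: the node's length field counts hex characters (2 per byte).
    """
    if hex_chars <= 0 or hex_chars % 2:
        raise ValueError("expected a positive, even number of hex characters")
    return padding_chars(hex_chars // 2)


def unpadded_hex_lengths(lo: int, hi: int) -> list[int]:
    """Even hex lengths in [lo, hi] whose base32 form needs no padding."""
    return [n for n in range(lo + lo % 2, hi + 1, 2) if padding_for_hex_length(n) == 0]


def uri_secret_is_padded(otpauth_uri: str) -> bool:
    """True if the secret parameter of an otpauth:// URI contains '='."""
    secrets = parse_qs(urlsplit(otpauth_uri).query).get("secret", [])
    if len(secrets) != 1:
        raise ValueError("expected exactly one secret parameter")
    return "=" in secrets[0]


def sample_uri(hex_chars: int) -> str:
    """Constructed registration URI with an all-zero dummy secret (not a real key)."""
    secret = base64.b32encode(bytes(hex_chars // 2)).decode()
    return f"otpauth://totp/Example:demo?secret={quote(secret)}&issuer=Example"


if __name__ == "__main__":
    # 32 is a constructed comparison value; 40 is the value the article suggests.
    for n in (32, 40):
        print(n, padding_for_hex_length(n), uri_secret_is_padded(sample_uri(n)))
    print(unpadded_hex_lengths(32, 64))
```

uri_secret_is_padded can be run against the URI decoded from a registration QR code to confirm that a changed key length actually removed the padding.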